TRUSTe LLC Independent GDPR Privacy Program Management 
Validation Findings Letter 


Expiration date: February 17, 2023 


To the Management of Red Hat, Inc. 


Scope 

TRUSTe LLC (“TRUSTe”), a subsidiary of TrustArc Inc (“TrustArc”), has reviewed the global 
privacy program of Red Hat, Inc. and related entities (“Organization” or “Red Hat”) as of 
February 17, 2022 against the 40 GDPR Privacy Program Management Validation 
Requirements (the “Validation Requirements”) comprising the TrustArc GDPR Privacy Program 
Management Compliance Validation. These Validation Requirements focus on program-level 
measures for demonstrating that the processing of personal information conducted by Red Hat 
is performed in compliance with the EU General Data Protection Regulation (GDPR). The 
Validation Requirements cover the following 8 areas aligned with the BUILD and 
DEMONSTRATE Standards set forth in the TrustArc Privacy & Data Governance (“P&DG”) 
Framework, for establishing, maintaining, and continually improving a GDPR-compliant privacy 
program aligned with the ISO 27001 International Standard for Information Security 
Management Systems: 


1. Integrated Governance, including program governance, appointment of a privacy 
leader and/or a DPO 

2. Risk Management, including privacy and security risks as well as privacy by design 

3. Resource Allocation, including senior management engagement, privacy 
resources, competency and the role of the DPO 

4. Policies and Standards, including establishment, communication and enforceability 

5. Processes, including vendor management, records of data processing, legal basis of 
processing, incident management, DPIAs, complaint handling, individual rights 
management, international data transfers and consent management 

6. Awareness and Training, including awareness of their obligations and sanctions for 
non-compliance as well as training on responsibilities 

7. Monitoring and Assurance, including evaluation and audit of ongoing compliance 

8. Reporting and Certification, including reporting on compliance to senior leadership 
and cooperation with regulatory authorities 


Organization’s Responsibilities 

In connection with the Validation, Red Hat was responsible for providing information through a 
GDPR Validation Assessment regarding its GDPR compliance program and demonstrating with 
supporting evidence how it complies with each of the applicable Validation Requirements. 


Responsibilities of TRUSTe 

Our responsibility was to determine whether Red Hat’s GDPR Privacy Program complies with 
the Validation Requirements based on the information provided by the Organization. A 
member of our Global Privacy Solutions team reviewed the GDPR Validation Assessment 
submitted by the Organization according to the Validation Requirements. If any gaps were 
identified as needing remediation, the Organization was informed of the remediation 
necessary to be completed by the Organization prior to a final evaluation of whether the 
Validation Requirements have been sufficiently demonstrated by the Organization. After the 
Organization remediated any identified gaps and submitted the completed GDPR Validation 
Assessment, we reviewed the completed GDPR Validation Assessment in order to validate that 
the Organization has met the applicable Validation Requirements. 


A validation review of the Organization’s GDPR Privacy Program involves a comprehensive 
evaluation of program-level measures and evidence of those measures to ensure that the 
processing of personal information conducted by them, or by a third party processor on their 
behalf, is performed in compliance with GDPR and in alignment with ISO 27001 International 
Standard for Information Security Management Systems. 


Inherent Limitations 

Because of their nature and inherent limitations, program-level measures of the Organization 
may not always operate effectively to meet the applicable Validation Requirements. 
Furthermore, our findings herein are subject to the risk that the Privacy Program, or any 
component of the program, may change or that program-level measures implemented by the 
Organization may become ineffective or fail. 


Findings 

In our opinion, in all material respects, based on the descriptions and supporting evidence of 
program-level measures identified in Red Hat's GDPR Validation Assessment: 

• The applicable program-level measures as further described in the accompanying 
TRUSTe Validation Report have been implemented as of February 17, 2022. 

• The measures described in the GDPR Validation Assessment were suitably designed to 
provide reasonable assurance that the Validation Requirements would be met if the 
program-level measures operated effectively as of February 17, 2022. 


Restricted Use 

This Findings Letter and the accompanying report are for the intended use of Red Hat as of 
February 17, 2022: 

• This Findings Letter and the accompanying Compliance Validation Report, and any 
Summary, provided by TRUSTe may be used by the Organization until the 
expiration date listed below. 

• Only the Findings Letter and accompanying Compliance Validation Report represent 
the official validation determination of TRUSTe. 

• Any modifications or alterations to the Findings Letter, the accompanying 
Compliance Validation Report, or any Summary, from the versions of those 
documents issued by TRUSTe shall render those documents invalid. 

• Organizations must undergo a new GDPR Compliance Validation in order to make any 
representations whatsoever as having been determined as GDPR compliant by 
TRUSTe, TrustArc, or any subsidiary or successor in interest to TRUSTe or TrustArc, 
after the expiration date. 

• This Findings Letter can be shared with the Organization’s customers, contractors, and 
other stakeholders until the expiration date. 

• This Findings Letter, the accompanying report, and any Summary provided by TRUSTe 
may be published on the authorized corporate web site(s) of the Organization, as listed 
in the Annex to this Findings Letter. 

• This Findings Letter expires on February 17, 2023. 


This Findings letter and the accompanying report are not intended to be, and should not be 
used nor relied upon by anyone other than the Organization and, as determined in the sole 
discretion of the Organization, the Organization’s customers, contractors and other permitted 
stakeholders. 


Chief Financial Officer, TRUSTe LLC 
February 17, 2022 


ANNEX - Authorized Corporate Websites 


redhat.com 


